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Incredible Network Growth! 

By 2014... 

• Annual global IP traffic will increase 4x 

• Growing from 176 exabytes to three-quarters 
of a zettabyte (767 exabytes) in four years 



1 ZB = (1,000,000,000,000,000,000,000 
bytes = 10 21 ) 




• Drivers? Video and mobile data 

• Video (TV, VoD, Internet Video, and P2P) will exceed 91 percent of 
global consumer traffic 

• Internet video will grow to over 57% of Internet traffic (12 billion DVDs) 

• Mobile data traffic will double every year, increasing 39 times 

• Peer-to-peer no longer the most voluminous, but still substantial 



Source: Cisco Visual Networking Index: Forecast and Methodology, 2009-2014 
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Evolving Threat Landscape 

Trends affecting Network Security 

• Attacks are becoming more sophisticated (Stuxnet) 

• Attackers are getting better organized 

• Groups out for financial gain, trade secrets or military 
information 

• Organized crime or even government agencies 

• “Speed-bump” defenses are no longer sufficient 

• Social media changes the face of security 

• New attack vector to distribute malware 

• Short URL Service Abuse - you don’t know what you are clicking on 

• Location Service Abuse - the bad guys know where you are 

• Cloud computing and virtualization are imposing new security requirements 

• VMs are less secure than their original bare-metal counterparts 

• Need to find the “needle in the haystack” for Lawful Intercept 

• Sensitive data is increasingly on the move (mobile) 

• Mobile smartphones are computers and as susceptible to attacks. 

• Encryption and VoIP create covert channels to smuggle threats in or data out 
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Opposing Forces 



Network throughputs The network security 

continue to explode threat landscape 

continues to evolve 



i -w w 

X 



Security architects are demanding solutions 

at 10 and 40 Gbps today 

100 Gbps is on the near horizon 
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Next Generation Security Appliances 

Trends 



•Network and security solutions 
traditionally software applications 

•Developed and deployed in network 
appliances based on general 
purpose processors 




NO VISIBILITY 



INCREASED VISIBILITY 




GIGABIT ETHERNET 



REDUCED THROUGHPUT 
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Network Security Appliances 

Requirements 

• Configurable L2-L4 network processing (ACLs) 

• Programmable L4-L7 intelligence (DPI) 

• Application identification 

• PCRE (signatures), behavioral heuristics 

• Content inspection 

• Stateful flow-based processing 

• Ability to parse traffic across flow boundaries 

• Inspection of encrypted flows (SSL) 

• I/O virtualization 

• Active (Inline), passive, switched, routed topologies 

• Integrated bypass for inline deployment 

• Flexible port configurations (GigE, lOGigE, 40 GigE) 

• Scalable common software architecture 
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APPLICATION 

GET /generate_204 HTTP/1.1; User-Agent: Mozilla/5.0 
Accept Encoding: gzip, deflate; 
Accept-Charset: ISO-8859- 1, utf-8 

TRANSPORT 

src port: 1 286; dst port: 80; seq num: 1 ; 
next seq num: 81 6; header length: 20 bytes 

NETWORK 

ip src: 1 0.0.0.1 0; ip dst: 64.233.1 61 .1 00 
protocol: TCP; version: 4; 



DATA LINK 

eth src: 00:1 9:b9:a3:42:44 
eth dst: 00:1 5:58:7d:76:ed 
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Flows or Packets? 



Flow Definition Fields 



• More users and more applications 
driving an increase in throughput 

• Results in more individual “network 
conversations” per segment 



• What is a flow? 

• A unidirectional sequence of packets all 
sharing a set of common packet header 
values 

• 2-tuple, 3-tuple, 5-tuple, 7-tuple are 
common criteria 

• 15-tuple used in the OpenFlow specification 

• Most network equipment based on NPUs including Ethernet switches 
and routers processes traffic solely based on packet headers 

• State is not kept on each forwarding decision 

• No memory of previous packets 



Ingress Interface 
Ethernet Source MAC Address 
Ethernet Destination MAC Address 
Ethertype 
VLAN ID 

Source IP Address 
Destination IP Address 
IP Protocol 

TCP/UDP Source Port 
TCP/UDP Destination Port 
ICMP Type/Code 
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Stateful Flow Processing 




r OpenFlow 



• OpenFlow 

• Up to a three-tiered recursive flow table 

• Flow-based network slicing 

• Stateful firewalls 

• Security processing happens at beginning of the flow 

• Flow state is used process the session afterwards 

• IDS/IPS 




• Attacks spread across packets/payloads/fragments 

• Snort Stream5 preprocessor reassembles TCP flow to run 
signature-based rules against whole payload 

• Antivirus 

• Terminate TCP, parse protocol (HTTP, SMTP, P2P) 
reassembles file attachments, scans for threats 




• Next generation firewall 

• IPS + L2 switching, L3 routing, NAPT 
stateful flow processing, App ID 



These applications are 
impossible without stateful 
flow-based processing 
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OpenFlow Networking 



Today’s network needs to be smarter and more 
flexible 

OpenFlow idea is to separate the packet switching 
and control functions 




Google 




Users can freely develop applications independently 
of switching/slicing 

Give customers per-service performance guarantees 

Offer network slices based on comprehensive flow 
forwarding architecture 

Not just a data center technology 

• Carriers involved too 

• New service opportunity 



Internet2 initiative building nation- 
wide OpenFlow/SDN Network 



T 



Deutsche 

Telekom 




verizon iff / 
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Network Security Workloads 

Comparison 

• Applications requiring sophisticated packet, flow, and 
security processing require a very high instruction rate 



Function 


Cycles required 


L2 switching 


75 


L3 routing 


200 


L2-4 packet 
classification 


1,000 


Stateful firewall 


2,000 


OpenFlow Switch 


3,000 | 


IDS/IPS 


5,000 


Lawful intercept / 
DPI 


6,500 


NG stateful firewall 


8,500 


IP Sec / SSL 


12,000 


NGFW+ SSL 


20,500 





Intelligence 
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Processor Comparison 



• Network security equipment designers have to consider computing 
workload needs when choosing their product architecture 



• General Purpose CPUs 

• Intel Xeon 5645 

• 6 cores @ 2.4 Ghz 

• 14.4 billion instructions per second 

• Multicore MIPS 

• 4 cores @ 2 Ghz 

• 8 billion instructions per second 

• Multicore MIPS 

• 8 cores @ 1 .5 Ghz 

• 12 billion instructions per second 

• Programmable Network Flow Processors 

• Netronome NFP 

• 40 cores @ 1 .4 Ghz 

• 56 billion instructions per second 
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Network Security Workloads 

Comparison 



Internet Packet Size 
Distribution 

60 



• General purpose processors are 
inadequate for network security 
applications in real-world use cases 




Instructions Required for line rate operation @10 Gbps 



Packet 

Size 


L2 

switching 


L3 

routing 


L2-L4 

classification 


Stateful 

firewall 


IDS/IPS 


Lawful 
Intercept / 
DPI 


NG stateful 
firewall 


IP Sec / 
SSL 


NGFW + 
SSL 


64 


1.12 B 


2.98 B 


14.9 B 


29.8 B 


74.4 B 


96.7 B 


126.5 B 


178.6 B 


305.1 B 


128 


633 M 


1.69 B 


8.5 B 


16.9 B 


42.3 B 


54.9 B 


71.8 B 


101.4 B 


173.1 B 


256 


340 M 


906 M 


4.5 B 


9.1 B 


22.6 B 


29.4 B 


38.5 B 


54.3 B 


92.8 B 


440 


204 M 


543 M 


2.7 B 


5.4 B 


13.6 B 


17.7 B 


23.1 B 


32.6 B 


55.7 B 


512 


176M 


470 M 


2.4 B 


4.7 B 


11.7 B 


15.3 B 


19.9 B 


28.2 B 


48.2 B 


1024 


143 M 


383 M 


1.9 B 


3.8 B 


9.6 B 


12.5 B 


1S3 B 


^^B 


3^ B 


1500 


61 M 


163 M 


813 M 


1.6 B 


4.1 B 


5.3 B 


6.9 B 


9.8 B 


16.7 B 
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Intelligent Offloads 

The Solution 

• The x86 architecture suffers in 
data plane and security intense 
applications 

• Combine general purpose x86 
cores with network flow processor 
cores for pre-processing 

• Scale networking and security 
plane independently from x86 
application and control plane 
processing 



Introduce an intelligent l/O- 
coprocessor to accelerate x86 
multicore CPUs 
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Multicore O 

Flow Processor < Multicore x86 



A dual Xeon , dual NFP 
system solution 
provides 126 B 
instructions/second 
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Applying the Heterogeneous Architecture 

Acceleration Mechanisms and offloads 



• Packet classification/filtering 

• Efficient delivery of data directly to 
Linux user mode applications 



• Off-loading protocol specific 
functions, e.g. IP or TCP related 
processing 



• Load balancing to application 
instances on x86 cores 

• Stateful flow management 

• Pin flows to core destinations 

• Redirect/drop flows 

• Port to port forwarding ("cut- 
through" of trusted traffic or of the 
remaining packets of a flow) 

• L2/L3 forwarding, NAPT, VPN 

• Cryptography, PKI, TRNG 



x86 CPU 



MULTICORE x86 ARCHITECTURE 




itnU-LUrT 

API/PCAP DRIVER 



NFP 



Rx 




INTEGRATED 
LOAD BALANCER 



Cut-through 



Tx 



r 
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Deep Packet Inspection/Lawful Intercept 

In a heterogeneous multicore architecture 




Deep Packet 
Inspection 



Application- 

specific 

classification 



x86 



Customer 

Application 



!/ Load * 
balance ! 

\ group Application 

VT L 1 



f 3 

Redirect flows 
to specific 
destinations 



Customer 

Application 

2 



2 \ 

Update ' 
hardware-driven 
flow policy 



Customer 

Application 

3 



Flow 

Classification 



• Packets are classified on 
ingress 

• Sent to x86 for DPI 
processing 

• Results in application or 
protocol awareness 

• New classification rule 
programmed to NFP for 
each flow 
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• Application/control plane 

processing 

• Deep packet inspection 

• Content inspection, 
behavioral heuristics, 
forensics, PCRE 



• L2-L7 classification 

• Stateful flow processing 
• Cryptography/PKI operations 

• Flow-based load balancing 

• L2 switching/L3 routing 

• NAPT/VPN 



• L2-L4 packet classification 
• Packet-based load balancing 



• Physical Interfaces 
• Integrated bypass relays 
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Netronome Network Flow Processing 

Application and Control Plane Processing 
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Xeon 



x86 CPU 



L2-L7 Flow 
Processing 



L2-L4 Packet 
Processing 



• •• 



X Over 2,000 

^ ' Endpoints 



Load Balancing 




20 Gbps L2-L7 
Flow Processing per NFE 



\ r 



Load Balancing 






240/480 Gbps L2-L4 Packet 
Classification, Filtering, Load Balancing 




4x1 GbE 



Network Modules with Integrated Bypass 
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Real World Benchmark 

Intrusion Prevention System 
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Independent validation 

• NSS Labs 

• April 2011 IPS test report 

IPS use case 

• Computationally intense 

• Application- and data-planes 

• >4000 PCRE rules 

• Variable packet sizes, protocol mix 

• Inline measurements - latency 



Results 

• 80 Gbps system throughput 

• 66 Gbps large mix 

• 48 Gbps strenuous iMix 

• 98% security effectiveness 

• 60 million flows 

• ~ 500K TCP and HTTP - CPS 

• <100uS latency 

• Greenest TCO 

• All without application optimization 
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BACKUP 
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NFP-3200 Summary 



• High performance 

• 40 cores @1.4 GHz 

• 1 ,800 instructions / packet at 30M pps 

• 40 Gbps of packet, flow, and content 
processing 

• I/O Virtualization 

• PCIe v2.0 with IOV support 

• Highly Integrated Design 

• 40Gbps of line-rate security/crypto 

• Integrated MAC, PKI, PCIe, 

Interlaken, ARM 

• Unmatched ease of use 

• Proven tools, software development 
kit, product-ready software, reference 
platforms 
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Netronome Overview 



• 40 Gbps Network Flow Processors 

• Intelligent Network Optimized Acceleration 
cards 

• Flow processing platform solutions up to 
lOOGbps 




Intelligent to the Core ™ 



<cLWork 

,iowProce c 



• Comprehensive development tools 

• Software Libraries and OEM Applications 

• NFM Open Flow Manager Software APIs 

• IPS, SSL, NG Firewall enabling software 
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Netronome Processors & PCIe Cards 



NFP-3240-based PCIe Cards 

• 20Gbps of line-rate packet and flow processing 
per NFE 

• 6x1 GigE, 2x10GigE (SPF+), netmod interfaces 

• PCIe Gen2 (8 lanes) 




• Virtualized Linux drivers via SR-IOV 




• Flexible/configurable memory options 

• Packet time-stamping with nanosecond granularity 

• Integrated cryptography 








• Hardware-based stateful flow management * — ' 

• TCAM-based traffic filtering 

• Dynamic flow-based load balancing to x86 CPUs 


m TTnOrl 

' — - — - ... ^ 



Highly programmable , intelligent, virtualized acceleration cards 
for network security appliances and virtualized servers 
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Network Flow Processing Platforms 





• Standard 1U/2U platforms 

• 3 layers of processing 

• Modular interface options 

• Industry-leading port density 

• Flexible clustering support 

• High availability 



Flexible solution allows 
customizable configuration 
of port types, densities and 
processing power 
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Appliance Clustering 



• For certain compute 
intensive security 
applications, I/O outpaces 
CPU resources 

• Each clustered appliance 
adds up to 80 NFP cores 
and 12 x86 cores 





Clustered configurations 
can scale to 100’s of Gbps 
of throughput 
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